
Adapt or Die Sydney - API Security

357 views

Published on
Learn about how to protect your digital assets from known external threats at the API layer. Secure your assets against threats like SQL injection, JSON threat protection and application DoS. Protect your apps from cyber threats and bad bots with data-driven enterprise grade API security and Adaptive Threat Protection.

Published in: Technology


  1. ©2016 Apigee Corp. All Rights Reserved. API Security? No! APIs FOR Security! Greg Brail
  2. Agenda
     • What Happens to Insecure APIs
     • Fundamental API Security
     • Using Apigee Edge to Enforce Security
     • Advanced Security with Apigee Sense
  3. No API Security?
  4. I have an API!
  5. But I Don’t Have an API!
  6. Are you sure you don’t have an API?
     • Everything with a URI has an API
     • Cited: Wired, 9/22/15; www.ifc0nfig.com, 1/5/15; troyhunt.com, 2/24/16
  7. Some API Security Breaches
     Breach                        | Reason                                                               | Source
     Buffer                        | Compromised third-party admin password; OAuth secret in GitHub       | ProgrammableWeb
     Snapchat                      | No authentication; no rate limit                                     | Gibson Security
     Multiple Kardashian Apps      | No authentication or authorization                                   | Wired
     MoonPig                       | No authentication or authorization                                   | www.ifc0nfig.com
     Facebook Graph API            | Users can delete other users’ photos; improper authorization check   | ProgrammableWeb
     IRS GetTranscript Application | Password reset mechanism relied on personal data                     | IRS
     Instagram                     | Malicious app was stealing passwords; no approval process            | Daily Dot
     Nissan Leaf                   | VIN number only security credential on API                           | Troy Hunt
     Tesla Model S                 | Six-character password that’s easily guessable                       | Security Affairs, elsewhere
  8. Nissan Leaf
     • http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
     • No authentication on some APIs
       – Climate control, battery status
       – Only VIN number required
     • User ID leaked by some of those APIs
  9. Snapchat
     • No rate limit on request to get friends by phone number
     • Hard-coded encryption key
     • Weak cipher
     • http://gibsonsec.org/snapchat/
  10. Mobile Banking Apps
     • Security researcher Ariel Sanchez examined 20 iOS banking apps from banks around the world
     • More than 30% used non-TLS-encrypted links for at least part of the app
     • Down from 90% two years ago
     • Demonstrated JavaScript interception of some apps’ “login” page to gather passwords
     • Source: Ariel Sanchez, blog.ioactive.com
  11. A South Asian Bank
     • Security researcher Sathya Prakash tested the security of the app he used for one of his bank accounts
     • Found many major flaws and one huge one
     • All validation of account numbers for funds transfers was performed in the mobile app only – not on the server
  12. Fundamental API Security
  13. You Have an API
  14. Simpler is Better
     API:
     • Well-known URI pattern
     • Documented schemas
     • Well-known authentication model
     • Well-known authorization model
     • One way to secure all API calls
     Web App:
     • Totally dynamic URI pattern is harder to test
     • Specified inputs and outputs can be tested
     • Haphazard authentication hard to test
     • Haphazard authorization hard to test
     • Multiple implementations hard to test
  15. Simpler Means More Secure
     • Don’t agree? Let’s look at web apps:
       – Cross-site scripting
       – Insecure URIs in links
       – Cross-site request forgery
       – Insecure redirects
       – Insecure third-party pages
       – Insecure and malicious JavaScript
  16. What Do Apigee Customers Do?
     • 74% OAuth
     • 78% Spike Arrest
     • 72% Threat Protection
  17. What do Others Do?
     • A wide variety of solutions out there
     • 87% have “API management”
     • 83% are “concerned” about API security
  18. What You Need to Do
     • Prevent unauthorized applications
     • Prevent unauthorized users
     • Prevent excessive traffic
     • Prevent content attacks
     • Watch for trouble
     • React to trouble
  19. APIs for Controlled Access
     • APIs provide a controlled way for third parties to access a service
     • Not having an API means that third parties will find another way
     • For instance, JPMorgan Chase wrote in its annual report:
  20. Prevent Unauthorized Applications
     • Application authorization is a fundamental part of API security
       – Best way to stop runaway applications
       – Only option for certain types of apps (anonymous API access)
       – Requirement for all forms of OAuth
     • Best practices
       – Use different credentials for each version of each app
       – Makes it easier to pull a bad version
       – Hide the app credentials as best you can
         • Realize that they still can be stolen
       – Have an approval process for apps
  21. Follow OAuth Best Practices
     • Use “Authorization Code” for native apps
     • Follow all rules about CSRF, etc.
     • Keep up with the IETF work here:
       – https://tools.ietf.org/wg/oauth/
  22. Prevent Unauthorized Users
     • Authenticate all end users for critical apps
       – Only way to keep security credentials outside the app
     • Only as good as identity management
       – For instance, dodgy password reset practices
       – Can you get identity as a service?
  23. Prevent Excessive Traffic
     • Protect APIs that are vulnerable to brute force
       – Validating password
       – Validating anything
       – Anything where the only ID is in a small space
     • Protect from runaway applications
       – Denial of service is also an attack
       – Excessive usage may mean data is being harvested
       – Not always an attack – developers make mistakes
  24. Prevent Content Attacks
     • Accepting JSON over the Internet?
       – Excessive identifier length
       – Excessive nesting
       – Large arrays and elements
     • Accepting XML over the Internet?
       – All that and more
     • Are you sure there can’t be SQL injection?
       – Regular expression checks
  25. Watch for Trouble
     • Monitor the API
       – Usage patterns
       – Usage patterns by application
       – Latency
       – Error rate
     • Monitor the world too
       – Unusual tweets?
       – Other social media?
  26. React to Trouble
     • Do you have application-level authentication?
       – Revoke app credentials
       – Change rate limit
       – Redirect app to another URL
     • No application-level authentication?
       – Insert additional logic
       – Worst case: shut down the API until it’s fixed
  27. Enforcing Security with Apigee Edge
  28. Security is embedded into Apigee API Management (architecture diagram; labels: Apps; Access Control: OAuth2, API Key Verification, IP Access Control, Logging & Auditing, Data Privacy, Two-way TLS; API Management: Management Server, Portal, Analytics; Threat Protection: Quota/Spike Arrest, SQL threat protection, JSON bomb protection, IP based restrictions, Bot Detection; Identity Mgmt & Governance: RBAC management, IDM Integration, Global Policies, User Provisioning, AD / LDAP Groups; Data Privacy: Org Boundaries, Encryption, SOC 2, PCI-DSS, HIPAA; Back-end: Two-way TLS, Southbound VPN, IP Access Control, Logging & Auditing, Data Privacy)
  29. Security by configuration
  30. Advanced Security with Apigee Sense
  31. API threats faced by customers today
     • Threats are adaptive
       – Blend with human behavior
     • Bots can probe for API security weakness
     • Competitors can scrape your price data
     • Bots can be programmed for brute-force attacks (DDoS)
     • Bots can abuse guest accounts
     • Bot traffic skews analytics and KPIs
     • Bots create performance overhead on Web Operations
     • Bots can use your API keys to access private APIs
  32. What is Apigee Sense?
     • A new adaptive API security product to prevent sophisticated bot attacks
     • Detects threat patterns at the API layer, including bot attacks
     • Enables you to take actions on bots you find
  33. Closed Loop Protection – Analyze, Detect, Protect (diagram; labels: API clients, Target Services, API Dashboard, Machine Learning Models and Rules, Action (Block/Throttle/Alert), Blacklist, Your Traffic, System-wide, Purchased)
  34. Conclusion
     • We saw lots of places where APIs were compromised
       – Many of these had nothing to do with an “API”
     • Biggest vulnerability is having an API and not realizing it
       – Everything with a URL has an API
     • Well-defined APIs can be secured
       – Lots of widely-known techniques and technology
     • A properly-secured API is verifiable
     • Use it!
  35. Thank you
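Slide 23's two traffic controls, as an added example that is not from the deck or from Apigee: a per-key spike arrest that enforces a minimum gap between requests, and a failure counter keyed on the identifier being validated rather than on the caller, which is what matters when the ID space is small (the VIN-only case on slide 8). Class and function names are my own; timestamps are passed in explicitly so the behaviour is deterministic.

```python
from collections import defaultdict, deque

class SpikeArrest:
    """Per-key traffic smoothing in the spirit of a spike-arrest policy:
    a rate of N requests per second is enforced as a minimum gap of
    1/N seconds between consecutive requests carrying the same key."""

    def __init__(self, per_second: float):
        self.min_gap = 1.0 / per_second
        self.last_seen = {}          # key -> timestamp of last accepted call

    def allow(self, key: str, now: float) -> bool:
        last = self.last_seen.get(key)
        if last is not None and now - last < self.min_gap:
            return False             # arrived inside the gap: reject
        self.last_seen[key] = now
        return True

class BruteForceGuard:
    """Count failed validations per *target* (account number, VIN, ...)
    inside a sliding window. Keying on the target instead of the caller
    matters for small ID spaces: an attacker can rotate app keys or IPs,
    but the value being guessed stays fixed."""

    def __init__(self, max_failures: int, window_seconds: float):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)   # target -> failure timestamps

    def locked(self, target: str, now: float) -> bool:
        stamps = self.failures[target]
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()                 # expire failures outside the window
        return len(stamps) >= self.max_failures

    def record_failure(self, target: str, now: float) -> None:
        self.failures[target].append(now)

def handle_validation(arrest, guard, app_key, target, backend_accepts, now):
    """Gate one 'validate X' call. Returns 'throttled', 'locked', 'ok' or
    'invalid'; backend_accepts is the back end's verdict and is only
    consulted after the request has passed both limits."""
    if not arrest.allow(app_key, now):
        return "throttled"
    if guard.locked(target, now):
        return "locked"
    if backend_accepts:
        return "ok"
    guard.record_failure(target, now)
    return "invalid"
```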

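A checker for the JSON limits slide 24 lists (identifier length, nesting depth, array and element size), added here as an illustration and not Apigee's JSON threat protection code; the limit values are constructed and should be tuned per API. It bounds the raw body size before parsing, because the parser itself is the first thing a nesting bomb exhausts.

```python
import json

# Constructed limits, not Apigee's defaults; tune per API. They map to the
# slide's categories: identifier length, nesting depth, array and element size.
LIMITS = {
    "max_body_bytes": 64 * 1024,  # bound parser work before parsing at all
    "max_depth": 8,               # nested objects/arrays
    "max_key_len": 64,            # identifier (object key) length
    "max_entries": 100,           # entries per object
    "max_array_len": 100,         # elements per array
    "max_string_len": 4096,       # length of any string value
}

class JsonThreat(ValueError):
    """A structural limit was exceeded."""

def _walk(node, depth, lim):
    """Recursively enforce the limits; depth counts enclosing containers."""
    if isinstance(node, (dict, list)) and depth > lim["max_depth"]:
        raise JsonThreat(f"nesting deeper than {lim['max_depth']}")
    if isinstance(node, dict):
        if len(node) > lim["max_entries"]:
            raise JsonThreat(f"object has {len(node)} entries")
        for key, value in node.items():
            if len(key) > lim["max_key_len"]:
                raise JsonThreat(f"key of length {len(key)} exceeds limit")
            _walk(value, depth + 1, lim)
    elif isinstance(node, list):
        if len(node) > lim["max_array_len"]:
            raise JsonThreat(f"array has {len(node)} elements")
        for item in node:
            _walk(item, depth + 1, lim)
    elif isinstance(node, str) and len(node) > lim["max_string_len"]:
        raise JsonThreat(f"string of length {len(node)} exceeds limit")

def validate_body(body: bytes, lim=LIMITS):
    """Return (True, parsed_document) or (False, reason) for a request body."""
    if len(body) > lim["max_body_bytes"]:
        return False, f"body of {len(body)} bytes exceeds limit"
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError) as exc:
        # RecursionError means the parser itself gave up on absurd nesting
        return False, f"unparseable JSON: {type(exc).__name__}"
    try:
        _walk(doc, 1, lim)
    except JsonThreat as exc:
        return False, str(exc)
    return True, doc
```

Run the check in the gateway before the body reaches the back end; reject with a 4xx and log the reason rather than echoing the offending input.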